CVE-2024-13833
📋 TL;DR
This vulnerability in the Album Gallery WordPress plugin allows authenticated attackers with Editor-level access or higher to inject arbitrary PHP objects: attacker-controlled gallery metadata reaches PHP's unserialize() without restricting which classes may be instantiated (insecure deserialization). Object injection on its own only instantiates a class and runs its magic methods, so the real impact depends on whether another plugin or theme installed on the same site supplies a POP (property-oriented programming) gadget chain that turns those magic methods into file, database or code-execution primitives. All WordPress sites running a vulnerable version of the plugin are affected.
💻 Affected Systems
- Album Gallery – WordPress Gallery plugin
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so scanners that key on NVD data cannot decide from the CVE record alone whether an installed copy is affected.
Why? The CVE database entry lists no version ranges (none were provided to NVD). The vendor changeset cited under Official Fix does give the boundary: versions 1.6.3 and earlier are affected and 1.6.4 is patched, so check the installed plugin version directly rather than relying on CVE-based scanning.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
If a POP chain is present via another plugin/theme, attackers could execute arbitrary code, delete files, or steal sensitive data, potentially leading to complete site compromise.
Likely Case
Limited: the vulnerable plugin ships no gadget chain of its own, so without another component supplying one the injected object is instantiated with nothing dangerous to do in its magic methods. The likely result is a PHP notice, a corrupted gallery record or a broken page rather than code execution, unless other vulnerable plugins or themes are present.
If Mitigated
With proper access controls limiting Editor roles and no vulnerable plugins/themes installed, the vulnerability has minimal practical impact.
🎯 Exploit Status
Requires authenticated Editor-level access and depends on presence of POP chains in other installed components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3246291/new-album-gallery
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Album Gallery – WordPress Gallery'.
4. Click 'Update Now' if available, or download the latest version from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the vulnerable plugin until it is patched
wp plugin deactivate new-album-gallery
wp plugin delete new-album-gallery
Restrict Editor roles
Limit the number of users with Editor-level access or higher, and review the existing Editor and Administrator accounts, since the attack requires one of them
🧯 If You Can't Patch
- Disable the Album Gallery plugin immediately
- Audit and remove any plugins/themes with known POP chains to reduce attack surface
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Album Gallery – WordPress Gallery' version 1.6.3 or earlier
Check Version:
wp plugin get new-album-gallery --field=version
Verify Fix Applied:
Verify plugin version is 1.6.4 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- unserialize() notices or warnings ("unserialize(): Error at offset ...") in the PHP error log or in WP_DEBUG_LOG output (wp-content/debug.log by default), especially ones raised from the plugin's code path
- Unexpected gallery metadata modifications by Editor users
Network Indicators:
- POST requests to wp-admin/admin-ajax.php whose parameters contain serialized PHP objects. A serialized object starts with O:<length>:"<ClassName>": and arrives URL-encoded (O%3A8%3A%22...), so decode before matching. Plain web-server access logs do not record POST bodies, so this indicator needs a WAF, reverse proxy or application-level request logging.
SIEM Query:
source="wordpress.log" AND ("PHP Notice: unserialize()" OR "PHP Warning: unserialize()")
PHP reports a failed unserialize() as a Notice before PHP 8.3 and as a Warning from 8.3 onwards, so match both. Matching on the plugin slug "new-album-gallery" as a stand-alone term fires on every legitimate gallery request; use the slug only to narrow the hits above, or pair it with request-body logging that shows an O:<n>:" token in a parameter.
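The object token and the log indicators described in this section, as an added example that is not part of this advisory, the plugin or WordPress: a Python triage script that parses PHP serialize() output (the format an unserialize() call consumes), reports which request parameters carry an O: object token together with the class names PHP would instantiate, and matches the unserialize() error text. The parameter name gallery_meta, the AJAX action name and every request body and log line in it are constructed assumptions, not observed traffic.

```python
# Added example for triaging CVE-2024-13833, not code from the Album Gallery plugin, WordPress or
# this advisory's authors; the 'gallery_meta' parameter, AJAX action and all sample data are constructed.
import re
from urllib.parse import parse_qs, urlencode

OBJECT_TOKEN = re.compile(rb'O:\d+:"')  # every serialized PHP object starts O:<len>:"<Class>":
# unserialize() failures are logged as E_NOTICE before PHP 8.3 and as E_WARNING from 8.3 on.
UNSERIALIZE_ERR = re.compile(r'PHP (Notice|Warning):\s+unserialize\(\)')

class PhpSerializedError(ValueError):
    pass

def parse_php_serialized(data: bytes):
    """Parse serialize() output (N, b, i, d, s, a, O tags); return (value, object class names)."""
    classes = []
    def read_int(i, sep):          # digits up to `sep`; returns (int, index after sep)
        end = data.index(sep, i)
        return int(data[i:end]), end + 1
    def read_str(i):               # <len>:"<bytes>"; lengths are byte counts, as in PHP
        length, i = read_int(i, b':')
        if data[i:i + 1] != b'"':
            raise PhpSerializedError(f'expected opening quote at offset {i}')
        s, i = data[i + 1:i + 1 + length], i + 1 + length
        if data[i:i + 1] != b'"':
            raise PhpSerializedError(f'string length mismatch at offset {i}')
        return s, i + 1
    def read_members(i, count):    # {key;value ...}, shared by arrays and objects
        if data[i:i + 1] != b'{':
            raise PhpSerializedError(f'expected "{{" at offset {i}')
        i, members = i + 1, {}
        for _ in range(count):
            key, i = parse(i)
            members[key], i = parse(i)
        if data[i:i + 1] != b'}':
            raise PhpSerializedError(f'expected "}}" at offset {i}')
        return members, i + 1
    def parse(i):
        tag = data[i:i + 1]
        if tag == b'N':                                   # N;
            return None, i + 2
        if tag in (b'b', b'i', b'd'):                     # b:1;  i:42;  d:1.5;
            end = data.index(b';', i)
            return {b'b': lambda r: r == b'1', b'i': int, b'd': float}[tag](data[i + 2:end]), end + 1
        if tag == b's':                                   # s:5:"hello";
            s, i = read_str(i + 2)
            if data[i:i + 1] != b';':
                raise PhpSerializedError(f'expected ";" at offset {i}')
            return s.decode('latin-1'), i + 1
        if tag == b'a':                                   # a:<n>:{...}
            count, i = read_int(i + 2, b':')
            return read_members(i, count)
        if tag == b'O':                                   # O:<len>:"<Class>":<n>:{...}
            name, i = read_str(i + 2)
            classes.append(name.decode('latin-1'))
            count, i = read_int(i + 1, b':')              # skip the ':' after the name
            props, i = read_members(i, count)
            return {'__class__': classes[-1], **props}, i
        raise PhpSerializedError(f'unknown tag {tag!r} at offset {i}')
    value, end = parse(0)
    if end != len(data):
        raise PhpSerializedError('trailing bytes after value')
    return value, classes

def find_object_payloads(post_body: bytes):
    """Map each POST parameter that carries a serialized object to its class names."""
    hits = {}
    for name, values in parse_qs(post_body.decode(), keep_blank_values=True).items():
        for raw in map(str.encode, values):               # parse_qs already URL-decoded them
            if OBJECT_TOKEN.search(raw):                  # cheap WAF-style pre-filter
                try:
                    classes = parse_php_serialized(raw)[1]
                except (ValueError, TypeError):           # truncated or malformed: still alert
                    classes = ['<malformed>']
                hits.setdefault(name, []).extend(classes)
    return {k: v for k, v in hits.items() if v}           # token only inside a string: not an object

def triage_log(lines):
    """Return (line_no, reason) for each line matching the advisory's log indicators."""
    out = []
    for n, line in enumerate(lines, 1):
        if UNSERIALIZE_ERR.search(line):
            out.append((n, 'unserialize() rejected its input'))
        elif 'admin-ajax.php' in line and ' body=' in line:    # needs request-body logging
            if hits := find_object_payloads(line.split(' body=', 1)[1].encode()):
                out.append((n, f'serialized object in admin-ajax.php parameters: {hits}'))
    return out

# Constructed traffic: a normal gallery save (array) and an injection attempt (object).
BENIGN_BODY = urlencode({'action': 'album_gallery_save',
                         'gallery_meta': 'a:2:{s:5:"title";s:6:"Summer";s:5:"count";i:3;}'}).encode()
INJECT_BODY = urlencode({'action': 'album_gallery_save',
                         'gallery_meta': 'O:8:"stdClass":1:{s:5:"title";s:6:"Summer";}'}).encode()
# Constructed logs: WAF-style lines that keep POST bodies, then a PHP error-log line with a placeholder path.
SAMPLE_LOG = [
    f'[12/Jan/2025:10:01:02 +0000] POST /wp-admin/admin-ajax.php user=editor1 body={BENIGN_BODY.decode()}',
    f'[12/Jan/2025:10:04:40 +0000] POST /wp-admin/admin-ajax.php user=editor1 body={INJECT_BODY.decode()}',
    '[12-Jan-2025 10:04:41 UTC] PHP Notice:  unserialize(): Error at offset 12 of 40 bytes in '
    '/var/www/html/wp-content/plugins/new-album-gallery/example.php on line 1',
]
```

The class list the parser returns is exactly what PHP's unserialize($input, ['allowed_classes' => false]) refuses to instantiate (every O: token becomes __PHP_Incomplete_Class, whose __wakeup and __destruct never run), so a non-empty list on a parameter the plugin deserializes is the signal to investigate, and the benign array payload stays silent. Request bodies only reach a log when a WAF, reverse proxy or application layer records them; a plain access log shows the admin-ajax.php URL alone, which is why the PHP error-log indicator is kept as a second, independent signal.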